spawn/packages/cli/src/hetzner
A 9624141844
fix(security): expand $HOME before path validation in downloadFile (#3080)
Fixes #3080

Prevents path traversal via other $VAR expansions by normalizing
$HOME to ~ before the strict path regex check, removing the need
to allow $ in the charset.

Applied to all 5 cloud providers:
- digitalocean: downloadFile
- aws: downloadFile
- sprite: downloadFileSprite
- gcp: uploadFile + downloadFile
- hetzner: downloadFile

Also bumps CLI version to 0.27.7.

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-30 19:56:05 +00:00
agents.ts fix: standardize ESM import extensions across 35 production files (#2827) 2026-03-20 08:51:40 -07:00
billing.ts fix: standardize ESM import extensions across 35 production files (#2827) 2026-03-20 08:51:40 -07:00
hetzner.ts fix(security): expand $HOME before path validation in downloadFile (#3080) 2026-03-30 19:56:05 +00:00
main.ts fix: remove docker from --fast and fix docker cp into container (#2976) 2026-03-25 14:52:05 +07:00